- From: Eugene Kuznetsov <eugene@datapower.com>
- Date: Mon, 7 Jan 2002 16:32:15 -0500
- To: "Mark Nottingham" <mnot@mnot.net>, "Mark Baker" <distobj@acm.org>
- Cc: "Henrik Frystyk Nielsen" <henrikn@microsoft.com>, "Krishna Sankar" <ksankar@cisco.com>, <xml-dist-app@w3.org>
> I would strongly urge the group not to pursue this; although it seems
> like a good/friendly thing to do, it encourages people to trust (or
> not trust) traffic by port, which is unrealistic and dangerous.

I cannot resist pointing out that this is exactly what people do with their firewalls and content switches today. Leaving aside whether it is proper or dangerous, "unrealistic" is thinking that people do not use TCP ports to filter, classify and route their IP network traffic. Indeed, one of the reasons oft-cited for SOAP over HTTP is explicitly the fact that because many enterprise firewalls block all incoming ports other than port 80, putting SOAP over port 80 is a win! (The "catch-22" again).

The ability to associate application expectations for traffic on a certain TCP port is important. Yes, in itself it is not a guarantee of security or correct application behavior -- you may still verify those expectations (e.g., "I'm a firewall and I expect HTTP only on port 80, verify that to be the case"), but it is a vital part of the network infrastructure today.

Eugene Kuznetsov
eugene@datapower.com
DataPower Technology, Inc.
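As an added example (not part of this message or the list archive), the kind of port-expectation check the message describes: a filter that forwards port 80 expecting HTTP looks at the first client bytes of each flow, confirms they actually form an HTTP request (noting SOAP over HTTP by its SOAPAction header), and flags anything else as a port/protocol mismatch. The policy table and the sample flows are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Assumed policy table (constructed): the application protocol a firewall
# expects on each TCP port it forwards.
PORT_EXPECTATIONS: Dict[int, str] = {80: "http", 443: "tls"}

HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n")
HTTP_HEADER_END = b"\r\n\r\n"

def classify(payload: bytes) -> str:
    """Classify the first bytes a client sends on a TCP connection."""
    if HTTP_REQUEST_LINE.match(payload):
        head = payload.split(HTTP_HEADER_END, 1)[0].lower()
        # A SOAP 1.1 request over HTTP carries a SOAPAction header.
        return "http+soap" if b"\r\nsoapaction:" in head else "http"
    # TLS record header: content type 0x16 (handshake), version major 3.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    return "unknown"

def check_flow(dst_port: int, payload: bytes) -> Tuple[str, str]:
    """Return (observed protocol, verdict) for one client-to-server flow."""
    observed = classify(payload)
    expected = PORT_EXPECTATIONS.get(dst_port)
    if expected is None:
        return observed, "no-policy"
    # SOAP over HTTP still satisfies an "HTTP on port 80" expectation.
    if observed == expected or observed.startswith(expected + "+"):
        return observed, "ok"
    return observed, "mismatch"

# Constructed sample flows: (destination port, first client bytes).
SAMPLE_FLOWS: List[Tuple[int, bytes]] = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (80, b"POST /svc HTTP/1.1\r\nHost: example.test\r\nContent-Type: text/xml\r\n"
         b"SOAPAction: \"urn:op\"\r\n\r\n<Envelope/>"),
    (80, b"SSH-2.0-OpenSSH_8.9\r\n"),          # not HTTP at all on port 80
    (443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
    (8080, b"GET / HTTP/1.0\r\n\r\n"),         # no expectation configured
]

def audit(flows=SAMPLE_FLOWS) -> List[Tuple[int, str, str]]:
    """Apply the port expectations to every flow and collect the verdicts."""
    return [(port, *check_flow(port, data)) for port, data in flows]

if __name__ == "__main__":
    for port, observed, verdict in audit():
        print(f"port {port:5d}  observed={observed:10s}  {verdict}")
```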
Received on Monday, 7 January 2002 16:27:23 UTC